diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 7f149d0..d449192 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -53,6 +53,15 @@ jobs:
       - name: Build site
         run: npm run build
 
+      # Astro/Vite does not copy dotfiles from public/ into dist/, so .htaccess
+      # never reaches the deployed origin and Apache never sees the security
+      # headers it sets. Copy it explicitly. Fail if the source is missing
+      # rather than silently shipping a header-less site.
+      - name: Copy .htaccess into dist
+        run: |
+          test -f public/.htaccess
+          cp public/.htaccess dist/.htaccess
+
       - name: Guard — no TBD markers may ship in built HTML
         run: |
           if grep -rlE '(TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then